topic Re: TCP Reset being dropped at firewall in General Topics

TCP Reset being dropped at firewall

GrantCampbell4 — Wed, 21 Jul 2021 15:41:48 GMT

I have a client accessing a Citrix CAG via a firewall at one site on HTTP that I see traversing the FW, exist out towards the internal PA firewall reaches its destination. The destination server is sending a TCP RST, we are told to redirect the browser to HTTPS, that TCP reset is sent all the way back to the firewall nearest the client, receive on the interface but the firewall drops it so the client never receives the TCP RST.

In detail....

Client (Internet IP) --- http ---> FW IP [ FW1 VR 1 ] NAT Src 10.1.1.1 Dst NAT 10.2.2.1 --- route to VR 2 ---> [FW 1 VR 2 ] --> Over WAN --> [FW2 VR 1 ] ---> Server

HTTP SYN sent and received at Server

Server sends TCP RST

TCP RST reaches FW1 on Rx capture

FW Drop capture logs all TCP RST to client

Can anyone advise why the PA drops TCP RST in such a scenario?

Thanks & Regards

Re: TCP Reset being dropped at firewall

SutareMayur — Mon, 26 Jul 2021 11:56:43 GMT

Hi @GrantCampbell4 ,

Taking packet capture on palo alto will give you more clarity about the flow and what's happening..

Re: TCP Reset being dropped at firewall

NikolayDimitrov — Tue, 27 Jul 2021 11:49:11 GMT

Please see my article for globalcounters, flow basic and pcap captures for such issues:

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/m-p/402102#M91777